Security Holes Exposed In Trend Micro, Websense, Open Source DLP

Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software.

BLACK HAT USA — LAS VEGAS — A pair of researchers here last week named names of the data loss prevention (DLP) products in which they found security vulnerabilities.

Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak-peak of their presentation, "Stay Out of the Kitchen: A DLP Security Bake-off," to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.

At the heart of most of the bugs were the web-based interfaces of the products, namely the administrative panels. "Most of the flaws were in web admin interfaces," Lanier told Dark Reading.

The researchers were unable to pinpoint any major issues with HP's Keyview document parsing/filtering engine used by many DLP and big data products. "Keyview has some really interesting idiosyncrasies and some complex code that might have bugs... We really didn't find a whole lot," he says, but the pair plans to dig further into Keyview in subsequent research.

Overall, they found there was little or no hardening of Linux appliances, with many services running as root, and no exploit mitigation defenses in the software. "We found the occasional bug inheritance, such as Heartbleed," Lanier says.

Lanier and Lum did not find any specific bypass vulnerabilities in the DLP software they tested, but they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.

While the Sophos products came up clean in their testing, the researchers found bugs in Trend Micro, Websense, and OpenDLP's software.

They found multiple cross-site scripting (XSS) flaws in the Trend Micro management console as well as a cross-site request forgery (CSRF) bug. "There was a lot of cross-site scripting in this," said Lum. "But the CSRF was concerning to me," she said, because an attacker could turn off or change the DLP filter with an exploit.

Trend Micro is investigating the researchers' report, according to Jonn Perez, director of global technical support operations at Trend Micro. "Trend Micro takes any report of a product vulnerability very seriously... Our development team is currently in the process of validating this claim," Perez said in a statement. "If we determine that a fix is necessary, it will be treated as an immediate priority as part of our product vulnerability response process."

Lanier and Lum also found remote code execution and privilege escalation flaws in Websense's Protector and Endpoint software. The bugs could allow a nefarious or unauthorized local admin on a TRITON server to replace files with "custom pickled objects," the researchers say.

Websense also is investigating the findings, and said in a statement that the company is awaiting an official vulnerability report:

"While we still do not yet have complete details of the presentation, based on conversations with the researcher we understand that he has identified a medium risk vulnerability in Websense data security services.

The researcher has verified that the particular process demonstrated in his session relies on a privileged insider with access to the local network and with administrative rights to both the server and the management console. The researcher also indicated that remote exploitation of this vulnerability is not possible.

We are currently awaiting the official vulnerability report from the researcher. However, based on our current knowledge, prior to the presentation Websense reached out to our affected customer base and provided them with best practices for mitigating the risk of the vulnerability. In addition to the mitigation tips we have shared, Websense will provide a fix for these vulnerabilities before the end of August. We will make also make other adjustments in our future releases and vulnerability testing process."

OpenDLP, meanwhile, has a CSRF flaw, the researchers found.

Lanier and Lum warn that the bugs they found could allow an attacker to disable or alter DLP policies, or even remove a document out of quarantine, and siphon its contents, for example.

Lanier was a guest on Dark Reading Radio last month for the "Data Loss Prevention (DLP) FAIL" episode, where he discussed the flaws he and Lum found as well as concerns about DLP security issues. The archive is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

You can blame the vendors all you want, but if you read carefully, it's requires a rogue local admin to take advantage of a vulnerability. What you should really be amazed with is the poor background check of employees. Too often, organizations hire loose-cannons, who would are and always have been known as "the greatest threat". Organizations need to focus on their personnel just as much, and need to vet out those who are likely to hold a grudge for whatever personal reason.

What's so baffling is that these are SECURITY companies. Sure, they have software dev of their own, but it's discouraging if they're not practicting what they preach. No one expects software to be perfectly clean and free of all bugs, but you would think they would regularly vet the stuff. <sigh>

It's always frustrating to hear that security controls are, themselves, insecure. It's also frustrating to hear that the Web-facing side is the problem. Lately the security world has been talking alot about passwords (and rightly so) but now that so much sensitive activity happens online, I'd like companies to get more serious about Web apps' security.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.